firstov attacking mongo db
TRANSCRIPT
![Page 1: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/1.jpg)
Attacking MongoDB
Firstov Mihail
![Page 2: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/2.jpg)
What is it?
MongoDB is an open source document-oriented database system.
Features:
1. Ad hoc queries.
2. Indexing
3. Replication
4. Load balancing
5. File storage
6. Aggregation
7. Server-side JavaScript execution
8. Capped collections
![Page 3: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/3.jpg)
Inside mongo source code
./mongo – official client in C++ and JS
./mongod – server in C++
There are a lot of drivers for different programming languages:
C
C++
Java
Javascript
.NET (C#, F#, PowerShell, etc.)
Node.js
Perl
PHP
Python
Ruby
Scala
![Page 4: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/4.jpg)
Who uses mongoDB?
List of some big companies that use mongoDB:
1. SAP
2. SourceForge (hosting for open source projects)
3. The New York Times
4. GitHub (social coding project)
5. Foursquare
6. Yandex
![Page 5: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/5.jpg)
WTF is RESTful?
A RESTful web service (also called a RESTful web API) is a web service implemented using HTTP and the principles of REST. It is a collection of resources, with four defined aspects.
![Page 6: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/6.jpg)
How can I discover it?
The default port is 28017.
If the server was started without `--rest`, you can see this:
![Page 7: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/7.jpg)
How can I discover it?
![Page 8: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/8.jpg)
What kind of vulns are there?
Execution of arbitrary server-side JS code
Stored XSS in the mongoDB log
Stored XSS in the queries journal
Cross Site Request Forgery
Our SSJS code
![Page 9: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/9.jpg)
Attack
Actors in the diagram: Hacker, Hacker's server, a site with mongoDB driver support, MongoDB started with --rest, and the admin's browser.
1) Send "<script>" with our javascript code
2) Inject our script in the REST interface
3) Exec our js-code in the admin's browser
4) Send an SSJS command to our script
5) Wait until the admin's browser checks our server for new commands (via JSONP)
6) Our command gets executed
7) Send the answer to our sniffer
8) Print the result of the executed command
![Page 17: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/17.jpg)
Video
![Page 18: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/18.jpg)
Where we can find it?
![Page 19: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/19.jpg)
Stable CRASH
There are a lot of concepts of DoS attacks:
![Page 20: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/20.jpg)
Interesting features
ls, cat and other admin functions work only in the mongoDB console client.
The NativeHelper function helps you with system commands:
You can get the data as text/plain by reading the mongoDB db-files with any text editor.
![Page 21: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/21.jpg)
Network interaction
Adding user:
Source Code:
Decrypted salt:
![Page 22: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/22.jpg)
Network interaction
Captured packets:
All your data are belong to us:
![Page 23: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/23.jpg)
Network interaction
Algorithm for sniffing and brute-forcing the password (flowchart):
1. Sniff some packets with mongoDB data.
2. Look for the auth packet. Not found: exit. Found: get key, nonce and login from this packet.
3. Read a string from the dictionary.
4. key2 = md5(nonce + user + md5(user + ":mongo:" + passw)), where "passw" is the string from the dictionary.
5. key == key2? true: print user:passwd. false: go back to step 3 and read the next string from the dictionary.
![Page 24: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/24.jpg)
Network interaction
![Page 25: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/25.jpg)
Network interaction. MiTM attack
Actors in the diagram: admin, mongoDB, Hacker.
1. Authorization query
2. Return a special nonce for which rainbow tables were generated
3. Client sends us "key" and "login"
4. Brute force the password using the pre-generated rainbow tables for this nonce
5. Successfully login
![Page 30: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/30.jpg)
WTF is BSON?
What is it?
BSON is a computer data interchange format used mainly as a data storage and network transfer format in the MongoDB database. The name "BSON" is based on the term JSON and stands for "Binary JSON".
Example?
Data types:
string
int
double
DateTime
byte[]
bool
null
BsonObject
BsonObject[]
![Page 31: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/31.jpg)
Overwriting variables
Some table with 2 documents:
Our query to database:
Injecting BSON document, and overwriting “isadmin” value:
Testing:
![Page 32: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/32.jpg)
Reading memory
Exploit:
In action:
Length
![Page 33: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/33.jpg)
Reading memory
In action:
![Page 34: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/34.jpg)
Features of some programming languages
Ruby on Rails
nodejs
PHP
![Page 35: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/35.jpg)
Features of some programming languages
Ruby on Rails
![Page 36: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/36.jpg)
Features of some programming languages
Mass assignment in Ruby on Rails:
![Page 37: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/37.jpg)
Features of some programming languages
Mass assignment in Ruby on Rails:
![Page 38: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/38.jpg)
Features of some programming languages
NodeJS
![Page 39: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/39.jpg)
Features of some programming languages
JSON injection in NodeJS + MongoDB:
VULNERABLE SOURCE CODE:
RESULT QUERY:
SEND
Хакер (Hacker) magazine, 02/12 (157)
![Page 40: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/40.jpg)
Features of some programming languages
PHP
![Page 41: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/41.jpg)
Features of some programming languages
Types of vulnerabilities:
Bypass authorization via Array in php driver.
Injecting SSJS code.
Blind SSJS injecting, Time-based
![Page 42: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/42.jpg)
Features of some programming languages
As you know, PHP processes data from GPC (GET, POST, cookies) as an array:
There is a find() function in the official driver for PHP:
password[$ne]=parol1
![Page 43: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/43.jpg)
Features of some programming languages
And we get this query to the mongoDB collection:
With these techniques you can bypass authorization:
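An added example in JavaScript (not code from the talk) showing how the PHP-style parameter `password[$ne]=parol1` becomes a query operator, and the checks a login handler should make; `parseQuery`, `safeLoginFilter` and `containsOperator` are names chosen here, not driver APIs.

```javascript
// Imitates PHP's GPC parsing: "key[sub]=v" becomes {key: {sub: "v"}},
// which is exactly how "password[$ne]=parol1" reaches find().
function parseQuery(qs) {
  const out = {};
  for (const pair of qs.split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = decodeURIComponent(eq < 0 ? "" : pair.slice(eq + 1));
    const m = /^([^[]+)\[([^\]]*)\]$/.exec(key); // one nesting level is enough here
    if (m) {
      out[m[1]] = Object.assign(out[m[1]] || {}, { [m[2]]: val });
    } else {
      out[key] = val;
    }
  }
  return out;
}

// Vulnerable pattern from the slides: request fields go straight into
// the filter, so {$ne: "parol1"} is interpreted as a query operator and
// matches every user whose password is not "parol1".
function unsafeLoginFilter(params) {
  return { login: params.login, password: params.password };
}

// Hardened: credentials must be plain strings; arrays, objects and
// missing fields are rejected before any query is built.
function safeLoginFilter(params) {
  const { login, password } = params;
  if (typeof login !== "string" || typeof password !== "string") {
    return null; // caller answers 400 Bad Request
  }
  return { login, password };
}

// Detection helper: does a filter contain a "$" operator key anywhere?
// Usable as a last line of defence or as a rule over logged queries.
function containsOperator(value) {
  if (Array.isArray(value)) return value.some(containsOperator);
  if (value !== null && typeof value === "object") {
    return Object.entries(value).some(
      ([k, v]) => k.startsWith("$") || containsOperator(v)
    );
  }
  return false;
}
```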
![Page 44: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/44.jpg)
Features of some programming languages
Injecting in SSJS.
For example, we have this vulnerable code (the login and password from the request are pasted straight into the function's source text):
$q = "function() { var loginn = '$login'; var passs = '$pass'; db.members.insert({id : 2,
login : loginn, pass : passs}); }";
$db->execute($q);
We can see our login, id and pass in the answer.
Trying to inject in the SSJS query:
As you can see, we rewrite the "login" value with the db.version() value.
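The same defect rendered in JavaScript as an added example (not code from the talk): the values are spliced into the SSJS function's source text, so a single quote in the login already changes the program, which is how an injection test surfaces it; the safer builder passes the values as function arguments instead. `makeFakeDb` is a stand-in written here that only records inserts, and `runSsjs` is a rough model of how the server parses and calls the function, not the driver's API.

```javascript
// Stand-in for the server's db object: it only records inserted documents.
function makeFakeDb() {
  const inserted = [];
  return { members: { insert: (doc) => inserted.push(doc) }, inserted };
}

// Vulnerable: same shape as the $q string in the PHP code above. The
// login and password become part of the JavaScript source.
function buildUnsafeSsjs(login, pass) {
  return "function() { var loginn = '" + login + "'; var passs = '" + pass +
         "'; db.members.insert({id : 2, login : loginn, pass : passs}); }";
}

// Safer: the function source is a constant; user values travel as
// arguments (the eval command's "args" field) and are never parsed as code.
function buildSafeSsjs() {
  return "function(loginn, passs) { db.members.insert({id : 2, login : loginn, pass : passs}); }";
}

// Rough model of what the server does with SSJS: parse the source as a
// function expression, then call it with the supplied arguments.
function runSsjs(source, args, db) {
  const fn = new Function("db", "return (" + source + ");")(db);
  fn(...args);
  return db.inserted;
}

function insertUnsafe(login, pass) {
  return runSsjs(buildUnsafeSsjs(login, pass), [], makeFakeDb());
}

function insertSafe(login, pass) {
  return runSsjs(buildSafeSsjs(), [login, pass], makeFakeDb());
}
```

A login such as O'Brien is a legitimate value that the unsafe builder cannot even parse, which is the cheapest regression test for this class of bug.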
![Page 45: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/45.jpg)
Features of some programming languages
Sometimes we can't see the answer from our SSJS code.
For these situations we can use the Time-Based technique:
A special script was written for this task.
![Page 46: Firstov attacking mongo db](https://reader036.vdocuments.net/reader036/viewer/2022081506/558446e9d8b42a84368b52eb/html5/thumbnails/46.jpg)
NoSQL-injection Cheat Sheet
db.getName() – Get the current DB name
db.members.count() – Get the number of documents in the collection
db.members.validate({ full : true }) – Get ALL information about this collection
db.members.stats() – Get information about this collection
db.members.remove() – Remove all documents from the current collection
db.members.find().skip(0).limit(1) – Get documents from the DB (change only the number in the skip() function)
db.getMongo().getDBNames().toString() – Get the list of all DBs
db.members.find()[0]['pass'] – Get the "pass" value from the current collection